Stall. Interaction. Environment Check. Fingerprint. Sleep.

Stalling**

An analysis system can only spend a limited amount of execution time on each sample, so a timeout occurs while the stalling code is still running.

Malware authors design code that takes longer to execute in an analysis environment than on a real host: what takes minutes in analysis takes seconds on the victim machine.

Interaction**

Technique: Malware determines whether it is on a real, live PC by lying dormant until a predetermined human interaction occurs.

In depth: Some common human interactions the malware looks for:

Human scrolling: The user must scroll to a predetermined place in a file; this circumvents random or pre-programmed mouse movements used to trigger the sample.

Click count: Waits until a predetermined number of clicks has occurred; this circumvents analysis engines that initiate a single click to try to trigger the sample.

Mouse speed: Looks for suspiciously fast movement; this circumvents an analysis engine that scrolls at speeds faster than is humanly possible.

Environment Check**

Technique: Malware checks the environment for a virtual machine or well-known registry keys/files that would signify a sandbox.

In depth: Malware checks whether certain OS versions, applications, registry keys, files, directories, etc., are present and delays running its malicious code until they are. Some malware even goes to the extent of waiting until an internet connection is available. If the malware's predetermined conditions aren't met, it may terminate. In a virtual environment, malware conducts similar checks and modifies its behavior accordingly, making analysis more difficult.

Host Fingerprinting**

Technique: Malware computes a unique host fingerprint upon arrival in an environment. Each time it starts executing, a new host fingerprint is computed and compared against the original to determine whether it is now in a different environment.

In depth: When an analysis engine runs the sample in an environment that differs even slightly from the one where initial contact was made, the malware detects the change and takes a different set of actions to avoid revealing its malicious intent.

Sleep**

In depth: Beyond adding extended sleep calls to the code, authors sometimes add triggers that delay execution until a later date and time. During the monitoring window the sandbox observes nothing malicious and moves on.
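As an added defender-side illustration (not code from the original infographic or from Lastline), the script below scans a constructed sandbox API trace and flags the Sleep, Interaction and Environment Check patterns described above; the trace format, the list of polled APIs, the VM marker strings and the 120-second sandbox budget are all assumptions.

```python
import re

# Constructed sandbox API trace (sample data, not real malware output).
# Format assumed here: "t=<seconds> <Api>(<args>)", one call per line.
SAMPLE_TRACE = """\
t=0.10 Sleep(ms=300000)
t=0.11 GetCursorPos()
t=0.12 GetCursorPos()
t=0.13 GetCursorPos()
t=0.14 GetCursorPos()
t=0.15 RegOpenKeyExW(key=HKLM\\SOFTWARE\\VMware, Inc.)
t=0.16 Sleep(ms=300000)
t=0.20 CreateFileW(path=C:\\Users\\Public\\out.bin)
"""

CALL_RE = re.compile(r"t=(?P<t>[\d.]+) (?P<api>\w+)\((?P<args>.*)\)$")
# APIs that poll for the human interaction the page describes (assumed set).
INTERACTION_APIS = {"GetCursorPos", "GetAsyncKeyState", "GetLastInputInfo"}
# Substrings that suggest a VM/sandbox artefact probe (assumed list).
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "sandbox")
SANDBOX_BUDGET_S = 120.0      # assumed per-sample execution budget

def analyze_trace(trace, budget_s=SANDBOX_BUDGET_S, poll_threshold=3):
    """Return counters and evasion findings for one API trace."""
    total_sleep_s, polls, probes = 0.0, 0, 0
    for line in trace.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue            # ignore lines that do not look like calls
        api, args = m["api"], m["args"]
        if api in ("Sleep", "SleepEx"):
            ms = re.search(r"ms=(\d+)", args)
            total_sleep_s += int(ms[1]) / 1000 if ms else 0
        elif api in INTERACTION_APIS:
            polls += 1
        elif api.startswith(("RegOpenKey", "RegQueryValue", "CreateFile")):
            if any(mark in args.lower() for mark in VM_MARKERS):
                probes += 1
    findings = []
    if total_sleep_s > budget_s:
        findings.append("sleep_exceeds_sandbox_budget")   # Sleep / Stalling
    if polls >= poll_threshold:
        findings.append("interaction_polling")            # Interaction
    if probes:
        findings.append("vm_artifact_probe")              # Environment Check
    return {"total_sleep_s": total_sleep_s, "interaction_polls": polls,
            "env_probes": probes, "findings": findings}

if __name__ == "__main__":
    print(analyze_trace(SAMPLE_TRACE))
```

A sandbox that sees a sample request more sleep than its whole budget can fast-forward the clock or extend the run instead of timing out, which is the usual counter to this technique.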

Security teams need to rethink their people-process-technology mix and strengthen it to defeat these new threats, which are on the upswing.

A new approach - an innovative combination of threat intelligence and next-generation sandboxing - can help businesses enhance their security posture to outsmart and outmaneuver attackers.
Sources:
*Ponemon Institute, "2014 A Year of Mega Breaches" January 2015, survey of 735 IT and IT security practitioners about the impact of the Target and other mega breaches on their IT budgets and compliance practices as well as data breaches their companies experienced.
**Lastline, Inc.